THE AUTOX SAFETY FACTOR

THE AUTOX

PUBLISHED 2018

SAFETY FACTOR

Democratizing Autonomy

Bringing Self-driving Technologies to Everyday Life

The AutoX Safety Factor 3

Cars play a central role in our lives. Each year, we spend an increasing

number of hours behind the wheel, a trend that may continue unless

drastic changes are made. Yet when we consider how much time is

spent driving to meet our needs, an unmistakable pattern emerges:

driving is rarely more than just a means to an end.

In the world that AutoX envisions, autonomous vehicles connect us

by allowing us to transport physical items to and from one place to

another. Even today, lending a friend a salad bowl, a socket wrench,

or an Xbox controller still means a visit to the purgatory of traffic. By

handling the less pleasant part of the process, AutoX’s autonomous

vehicles can make the thought of sending a gift basket to your friend

the warm, happy one that it always intended to be.

Communities are strengthened by passionate people who strive

to share their works of love with others. The local artisanal baker

who has been exploring new recipes will be overjoyed to send their

regulars samples via autonomous vehicles as soon as the first batch

is out of the oven. Florists, coffee shops, restaurants, and nearly every

other business will benefit from our ability to share their products

and creations with their communities in a safe, affordable, and pain-

free way - and so will the communities that they serve. With AutoX

providing the means, the ends are truly limitless.

On average, every cubic meter of goods travels 2.1 miles to be delivered in the traditional B2B

model1.

2.1 Miles

In New York City, drivers on average spend 107 hours per year searching

for parking spots2.

107 Hours

The average person spends 60 hours per year shopping in grocery stores3.

60 Hours

SERVING OUR COMMUNITY WITH

AUTONOMOUS DELIVERY

AutoX envisions a world where self-driving cars take care of the means, freeing you up to enjoy the ends.


Not long after the first motorcar was invented, human

beings began to consider the possibility of making them

autonomous. In 1925, inventor Francis P. Houdina publicly

demonstrated his radio-controlled driverless car, American

Wonder, in the streets of New York City, traveling up

Broadway and down Fifth Avenue through heavy traffic4.

This marked the beginning of humankind’s aspiration for

driverless vehicles. Since 2013, more and more pioneers

have spearheaded the efforts of making self-driving cars a

reality. Level 2 and Level 3 assistive-driving vehicles5 are now

being driven on the road. It seems inevitable that manual

driving will someday be a thing of the past. Rather than

driving to get the things we need, we have them come to us

autonomously.

The next few decades will represent a transition period

where humans and fully autonomous A.I. drivers are

THE WORLD IN

TRANSITION

First Self-driving Car System on the Road

(Dean Pomerleau and Todd Jochem)

All Human Drivers Human Drivers and A.I. Drivers

All A.I. Drivers

Big Manufacturers Dive In

We are here Fully Autonomous Vehicles and Smart

Traffic Network

1995 2013 2018 Future

driving together, co-existing and sharing the road. The

U.S. Department of Transportation has decreed that

the freedom of the open road will be protected and

enhanced. This includes the freedom for everyone to

drive their own vehicles6. The unprecedented sharing

of our roads between humans and computers is the

reason AutoX is pushing the limits of cutting-edge A.I.

technologies to ensure the safety of everyone involved.

We have developed a smart hybrid system, which

introduces a vital human element into the autonomous

driving technology, so that we may better serve our

community.

Autonomous driving technology, like most life-changing

innovations, unleashes limitless possibilitites for the

future. AutoX is pushing hard to build safe self-driving

cars that will share the road with everyone.


We composed this voluntary safety self-assessment report to share our

approach to achieving safe autonomous vehicle testing and future deployment

based on the voluntary guidance of A Vision for Safety, Automated Driving System

2.0 and Preparing for the Future of Transportation, Automated Vehicles 3.0. We

open with a general introduction to AutoX’s approach to building a safe and

reliable self-driving delivery platform. Next, we highlight our redundancy-

based system design for ensuring safety. Then, we introduce our testing and

validation methods as well as our safety process and policy. Finally, we address

considerations in public safety on the road, including our designed post-crash

behavior and our engagement plan for first responders.

THE VOLUNTARY SAFETY SELF-ASSESSMENT REPORT

1. Statista. https://www.statista.com/statistics/781119/parcel-delivery-mileage-urban-commercial-transport/2. Drivers spend an average of 17 hours a year searching for parking spots. https://www.usatoday.com/story/

money/2017/07/12/parking-pain-causes-financial-and-personal-strain/467637001/3. Who Does the Grocery Shopping, and When Do They Do It. Jack Goodman. The Time Use Institute. http://

www.timeuseinstitute.org/Grocery16paper.pdf4. Time Magazine. Science: Radio Auto. Aug 10, 1925. Retrieved 29 September 2013. 5. SAE autonomy scale. Level 2: Driver-assist systems that control both steering and acceleration/deceleration.

These systems shift some of the workload away from the human driver, but still require that person to be attentive at all times. Level 3: Vehicles that can drive themselves in certain situations, such as in traffic on divided highways. When in autonomous mode, human intervention is not needed. But a human driver must be ready to take over when the vehicle encounters a situation that exceeds its limits.

6. U.S. Department of Transportation, Preparing for the Future of Transportation, Automated Vehicles 3.0


System Safety

The key to achieving system safety is to establish a robust

design process and follow a strict validation process.

We are setting the highest standards in building our self-

driving cars with design redundancies and safety strategies

to handle autonomous driving system malfunctions and

errors. AutoX’s entire system features these strategies.

In the How Our Self-driving Car “Sees“ section, we share

our methodology for designing and building our sensors

and other equipment that enable our self-driving cars to

“see”. In the Full Stack Redundancy chapter, we discuss our

design principle of providing redundancy for the entire self-

driving system, from hardware to software to operations.

In the Testing and Validation section, we share our data-

driven development methods and our rigorous testing and

validation process.

Operational Design Domain

A closed set of operational criteria and constraints, such

as geographic area, weather condition, time of a day, etc.,

are defined as the Operational Design Domain (ODD). The

ODD is extensively tested so that we are certain that our

autonomous driving system is able to operate safety within

it. Different testing or deployment stages have different

ODDs. In the Operational Design Domain section, we

define the ODD for our self-driving fleet.

Object and Event Detection and Response

Object and event detection and response refers to

the detection by the autonomous driving system of

circumstances that are relevant to the immediate driving

task, as well as the implementation of the appropriate

system response. In the Algorithm Redundancy and A.I.

Redundancy sections, we introduce our unique way of

safely handling and responding to immediate driving tasks.

In the The Brain of Our Cars section, we present selected

highlights of our A.I. technology that build a better and

safer self-driving platform.

Fallback (Minimal Risk Condition)

Fallback is the transition to the minimal risk condition

when a problem is encountered. In the Fallback (Minimal

Risk Condition) section, we discuss our implementation of

the minimal risk condition transition process.

Human Machine Interface

Human Machine Interface (HMI) describes a series of

software and hardware user interfaces that help first

responders, customers, and other road users to obtain

necessary information about our self-driving car, as well

as a way for them to safely engage with it. We address

this topic in depth in the Human Machine Interface (HMI)

section. The HMI also covers the interaction between

the vehicle and the remote operator, and is extensively

covered in the Human Remote Operator section.

Cybersecurity

AutoX has followed a thorough process to minimize the

risks of cybersecurity threats. This is especially important

since AutoX has built a teleoperation system which allows

human operators to control the vehicles remotely. In the

Cybersecurity section, we have introduced our methods

to ensure the cybersecurity of the vehicle and the remote

command center.

In the guidance document Automated Driving Systems 2.0: A Vision for Safety,

the National Highway Traffic Safety Administration (NHTSA) has outlined 12

topics that the self-driving system manufacturer should pay attention to for

achieving safety. Below, we outline the sections in our report in which each

of these topics is addressed.

Safety Elements


Crashworthiness

Crashworthiness is the consideration and practice of how

to best protect vehicle occupants in a collision. AutoX

integrates its self-driving technology with Lincoln MKZs and

Chrysler Pacificas, which meet applicable requirements

of the Federal Motor Vehicle Safety Standards (FMVSS)

as issued by the National Highway Traffic Safety

Administration (NHTSA).

Post-Crash ADS Behavior

A well-designed post-crash behavior ensures that the

autonomous driving system returns to a safe state

immediately after being involved in a crash. AutoX has

standardized the behavior of the vehicle after a crash,

which minimizes the risk to first responders and other road

users. In the Post Crash Behavior section, we provide a

brief introduction to the desired post-crash behavior of our

self-driving cars.

Data Recording

Learning from crash data is a central component to the

safety potential of the autonomous driving system. In

the Data Recording section, we present our strategies

to ensure the recording, security, and proper usages of

testing data from crashes.

Customer Education and Training

Education and training are imperative for increased safety

during the deployment of the autonomous driving system.

It is beneficial to develop, document, and maintain

employee and customer education and training to address

the anticipated differences in the use and operation

of the autonomous driving system from those of the

conventional vehicles that the public owns and operates

today. In the Public Engagement section, we take a deeper

dive into our practices of conducting customer education

and training for safe self-driving testing and future self-

driving deliveries.

Federal, State, and Local Laws

AutoX ensures that our autonomous driving system

adheres to all applicable Federal, State, and local laws. We

will promptly update our system to reflect changes to the

laws. We discuss this in the Federal, State, and Local Laws

section.

OUR SELF-DRIVING TECHNOLOGY 9

18

26

35

39

How Our Self-driving Car “Sees“

The Brain of Our Cars

Fallback (Minimal Risk Condition)

Data Recording

Cybersecurity

10-11

12-15

16

17

17

19

20

21

22

22

23-25

27-28

29-33

34

34

36

36

37

37

38

Sensor Redundancy

Algorithm Redundancy

A.I. Redundancy

System Redundancy

Hardware Redundancy

Human Remote Operator

Operational Design Domain

Testing and Validation

Safety Driver and Remote Operator Training

Federal, State, and Local Laws

Human Machine Interface (HMI)

Showing the Driving Status of the Vehicle

Forced A.I. and Forced Drive-by-wire Disengagement

Post Crash Behavior

Public Engagement

FULL STACK REDUNDANCY

TESTING & VALIDATION

EVERYONE’S SAFETY IS OURPRIORITY

CONCLUSION

CONTENTS INTRODUCTION 3-7


Safety has been at the forefront of our minds from the very beginning. We

believe that a safe autonomous driving system can be engineered through

comprehensive design, reliable implementation, and extensive stress testing.

By combining selected sensors with cutting-edge A.I., the systems we build

have a high-resolution perception of their surroundings and are capable of

making safe decisions in all kinds of circumstances. AutoX has strict testing

and vehicle deployment protocols, ensuring that every AutoX self-driving car

on the road is in excellent operating condition and ready to provide safe and

reliable transportation.

Safety in Design

OUR SELF-DRIVING TECHNOLOGY

CHAPTER 1


HOW OUR SELF-DRIVING CAR “SEES“

AutoX’s innovative camera perception module provides a

robust, highly accurate object detection and classification

system of the surrounding environment. The combination

of high frame rates, high resolution, and rich color

information makes cameras the ideal backbone for our

sensor suite. Our cameras are critical for mapping, lane

detection, the recognition of traffic lights and traffic signs,

and many other tasks.

The Radar system adds another layer of redundancy onto

the perception module. Radar utilizes electromagnetic

waves to detect the position and speed of objects and

provides us with an effective method of providing better

coverage.

Light Detection and Ranging (LiDAR) is an active sensor

that emits laser beams. A 3D point cloud is generated by

tracing the reflection of laser beams that strike objects. This

is combined with the information provided by the camera

perception system, which creates a layer of redundancy

for our self-driving systems. For instance, pedestrians,

bicyclists, and others on the road are detected with the

combination of LiDAR and camera perception.

Having a well-designed fleet management system and

stable communication with our vehicles is essential as it

allows AutoX to monitor and remote control every one of

our cars. The vehicles will maintain both data and radio

communication links to our fleet command center.

Camera Vision

Radar

LiDAR

Network Antenna and GPS


AutoX has designed a human-machine interface that allows other road

users to interact with the vehicle. A driving status display screen at the back

of the vehicle informs the public at all times whether or not the vehicle

is currently in self-driving mode. While our company’s ethos is to ensure

the safety of everyone that our vehicles share the road with, emergencies

and unexpected issues are a possible reality that we must be prepared

for. We have implemented an emergency stop button that enables law

enforcement to bring the vehicle to a complete stop in a safe manner. The

officer or responder may contact the vehicle’s remote operators and take

control of the vehicle if needed.

Driving Status Display and Emergency Stop Button

AutoX puts safety in the hands of the public by allowing them to safely disengage the autonomous mode if necessary.


The world’s most talented experts in computer vision, autonomous

driving, and robotics come together at AutoX to develop the brain

of our cars. We have developed numerous innovative methods in

the fields of visual perception, robotics, deep learning, and other

key areas of artificial intelligence. The AutoX team strives to find

ground-breaking solutions to unprecedented problems and share

an unwavering pursuit of technological excellence. The result has

been a unique combination of independent research and safety-

oriented engineering. With our passion and dedication leading

us, we will continue to maintain our rapid progress as we take

driverless vehicles from concept to reality.

The Brain of Our CarsWe are building the brain of a reliable autonomous vehicle to serve our community safely

Inside the Self-Driving Car’s Brain

The localization module pinpoints the vehicle’s exact location. AutoX creates its in-house HD 3D mapping and localization technology and uses real-time sensing to ensure that the maps are up to date.

The perception module allows the vehicle to be informed about its dynamic surroundings. Accurate object recognition and scene understanding are some of the keys to achieving safety. AutoX uses multi-sensor fusion to accomplish this.

The prediction module anticipates other road users’ behaviors and trajectories. This information is then provided to the decision and planning module.

AutoX’s self-driving car is analyzing and optimizing every second to make the safest decision.

The control module takes consideration of the kinematics and dynamics of the vehicle and calculates how much brake, throttle, and steering should be applied.

Localization

Prediction

Perception

Decision & Planning

Control


Perception is one of the most challenging tasks for a self-driving vehicle. Our roads are shared by human drivers, cyclists, pedestrians and others, so it is imperative that autonomous vehicles be able to identify, characterize, and react appropriately to them. Road users and other objects are frequently located close to or in front/behind one another - a typical situation is a person standing next to a tree by the side of the road. The eyes of a human driver can easily identify that the pedestrian and the tree are separate objects, and our minds can prepare for the possibility of the pedestrian crossing the road. One major challenge for the autonomous vehicle is to distinguish and recognize each individual object. We leverage our extensive research and development in multi-sensor fusion technology, which provides high precision perception for the A.I. to “see“ reliably and accurately.

Our high resolution sensing goes beyond merely identifying objects. The perception module provides detailed information regarding an object’s orientation, speed, and motion trajectory. This is invaluable information for the prediction module to forecast future motion and informs the next move of the vehicle accordingly. This ability to understand our current environment and predict its state in the immediate future using our perception module’s high resolution sensing greatly enhances the safety of our vehicles.

We have Created a High Resolution Perception Module

At AutoX, we use a variety of carefully selected sensors

to provide us with a holisitic and complete picture of our

vehicles’ surroundings. We combine the high resolution

and rich color information of cameras with the ability

of LiDAR to accurately measure distance and speed.

Coupled with other sensors such as radar, we have

identified a complementary set of sensors, effectively

giving our autonomous cars multiple “senses”.

Different sensors provide layers of redundancy to one

another. We frequently cross-check their readings to

ensure that no object is left undetected and to eliminate

false positives. We are also able to lean more heavily on

just one of them when the other is rendered less effective,

allowing our system to be robust to changing conditions.

Dual main sensors for redundancy

Using our perception module with multi-sensor fusion technology, our A.I. is able to distinguish the flagger and the dynamic traffic sign he is holding. Our system can also detect if the sign is flipped to read “SLOW” insead of “STOP”.


Camera image segmentation is the process of analyzing

and detecting different objects from camera inputs and

segmenting the image by finding out what object each pixel

of the image belongs to, such as trees, sky, different types of

vehicles, roads, and road markings. AutoX’s system is able to

analyze and segment camera inputs in real time.

3D object information is critical in the perception

module of autonomous vehicles. We use 3D information

to calculate the dimensions, orientations, and velocities

of surrounding objects. The AutoX approach leverages

color information provided by cameras, 3D information

from LiDAR, and information from other sensors to

provide the decision-engine with enough data to make

safe decisions.

Realtime object recognition

Where? Which way? How fast?

Testing of our real-time segmentation algorithm in highly occluded scenarios in downtown San Francisco.

Segmentation results: the driveable area is shown in pink and the lane detection is shown in cyan. The lane marking detection result is stable under direct sunlight and other lighting conditions.

Based on the camera image, we are able to recognize the heading of the car which helps us to obtain more accurate orientation and velocity information of other cars. The rear of each vehicle is encased by a red square and the front in a green square.


We have created systematic methods for multi-sensor

calibration and synchronization. By synchronizing data from

multiple sensors such as cameras and LiDARs, our self-

driving cars are able to see the world in 3D point clouds with

rich semantic information.

HD 3D maps provide detailed road information for the

autonomous vehicle. AutoX combines the data from

multiple sensors including cameras, LiDARs, GPS, and

IMU (Inertial Measurement Unit) to build large scale HD

3D maps with multi-channel information. The larger the

map is, the more challenging it is for the map construction

to be fully autonomous. For example, when the same

intersection is scanned twice by the mapping vehicle, the

algorithm must recognize that the two scan results are

for the same intersection; the map will otherwise contain

an error. We’ve been tirelessly working to solve such

technical challenges. Over the past two years, we’ve built

an automated loop closure system that is more robust

and efficient for large scale HD map building.

Sensor Fusion Large-scale High Definition 3D Maps

Camera + LiDAR fused image

AutoX team built the HD 3D map for North San Jose near our home


AutoX’s autonomous driving system has a fallback strategy

that is triggered if the testing vehicle is operating outside

the operational design domain (ODD). A series of reacting

plans will be executed when such situations are detected.

AutoX’s system features a reliable out-of-ODD detection

and is designed to ensure that the minimal risk fallback is

always enabled.

FALLBACK (MINIMAL RISK CONDITION)

There are two aspects of the out-of-ODD detection

in AutoX’s system. First, our team has developed

a comprehensive vehicle health monitor that runs

alongside the A.I. software. The health monitor is

able to detect errors in the message flow amongst

the various software and hardware modules of the

autonomous vehicle system. If errors are detected, the

health monitor will notify the A.I. system and provide

an audible notification to the safety driver or a remote

takeover request to the remote operator. Second, every

AutoX testing vehicle is constantly alerted of the change

of environment by the A.I., a safety driver, or a trained

remote control operator. If any environmental condition

changes are detected (e.g. a sudden heavy rain), the

safety driver and/or remote operator will be able to take

over the testing vehicle or activate a pre-programmed

automatic minimal risk condition fallback.

AutoX’s minimal risk condition fallback strategy

consists of three parts: autonomously attempting to

pull the vehicle over, notifying the safety driver and/

or remote operator, which allows vehicle takeover.

When an out-of-ODD situation is detected or an

out-of-ODD status is received by a remote operator,

the minimal risk condition fallback process will be

activated, commencing the process of autonomously

pulling the vehicle over. This relies on minimal sensors

and software components to come to a safe stop, and

should therefore be operational even if some part of

the A.I. system is not functional. AutoX’s system will

then notify the safety driver or the remote operator

immediately when beginning the process of pulling

over. The safety driver or the remote operator can

take over the testing vehicle at any time.

Out-of-Operational-Design-Domain Detection

Minimal Risk Condition Fallback


AutoX has developed a powerful black box system for data

recording during autonomous vehicle testing. The black

box system is able to generate detailed datasets of a whole

test drive, or span three minutes before and after triggering

events. The black box system can be triggered manually by

a safety driver or automatically by the A.I. system. The data

recorded by the black box system includes vehicle position,

velocity, raw sensor input from the LiDAR, cameras, radars,

and GPS along with the corresponding perception outcome,

vehicle decision, planning, control data, and other vehicle

logged data. AutoX uses this information to reconstruct

test scenarios in our simulator, so our self-driving cars are

constantly learning from every mile of driving data collected

by our fleet vehicles. In the event of collisions or accidents,

AutoX will keep the corresponding driving data for crash

reconstruction.

AutoX implements security solutions and infrastructure

based on the cybersecurity principles published by NHTSA.

Our vehicles are equipped with a load balancing engine

that uses Quality of Service (QoS) to control bandwidth

usage, providing reliable and stable traffic to communicate

over bonded network links. We share real-time telematics

with the vehicle during all autonomous testing. The data

communications between each vehicle and the command

center are carried out via secure Virtual Private Network

(VPN) tunnels and only our command center can decrypt

and reassemble packets back into their original order. To

further improve our security practices, we have established

a fleet management program to discover new incidents

and vulnerabilities by monitoring and identifying usage and

behavior, thereby ensuring that the transmission of data is

secure and fully controlled.

DATA RECORDING

CYBERSECURITY


To ensure safety, it is essential to think a step ahead and always have a backup

plan. AutoX has designed a multi-layer architecture for redundancy in both

software and hardware. We have also introduced the “highest safety redundancy”

- human remote operators - into the self-driving car testing loop. We believe that

by designing a highly redundant system, we can minimize the possibility of failures

occurring.

Redundancy Is Safety

FULL STACK REDUNDANCY

CHAPTER 2


SENSOR REDUNDANCY

The world that self-driving cars navigate in is complex and dynamic; for instance, smaller vehicles are

frequently hidden behind large trucks, and it is difficult to distinguish between joggers and bushes by

the roadside. It is therefore critical to design a perception module with multiple sensors and perception

methods. AutoX has developed a customized sensor fusion technology that includes automatic multi-

sensor calibration and hardware-level synchronization. AutoX’s sensor fusion technology is able to

combine the sensing capabilities of our multiple sensors, resulting in reliable and robust perception

with a broad sensing scope.

Perceiving the world with multiple senses

We are able to precisely filter out the LiDAR points corresponding to pedestrians based on the camera segmentation image, which allows us to build a highly safe autonomous driving technology.


ALGORITHM REDUNDANCY

By designing a sophisticated planning and decision algorithm

architecture, we ensure that the brain inside the AutoX self-

driving cars always has a backup plan in mind, creating an

algorithm-level redundancy for safety. There are two aspects

to this. First, given a specific planning task, the decision and

planning modules will check various planning inputs based on

multiple criteria simultaneously. The self-driving software will

always choose the safest solution that has minimal risks. For

example, the planning software will constantly monitor all traffic

around the testing vehicle, even if it is in a protected left turn,

minimizing the risks caused by red light runners. Secondly, no

matter what the current task is, the planning and decision module

will always calculate a safe pullover route, rendering it ever-ready

to respond to an emergency.

We always have a backup plan


A.I. REDUNDANCY

At AutoX, we believe that achieving safe and reliable

Level 4 self-driving requires our system to fully utilize

the information provided by our HD 3D maps while

constantly sensing the environment in real time to

correct mistakes and out-of-date maps. When the

results from these two A.I. approaches are properly

fused together, they improve and correct each other’s

errors. This dual A.I. design also ensures that AutoX’s

vehicles will not rely exclusively on one type of sensor or

self-driving method, creating an A.I.-level of redundancy.

Running two A.I. systems simultaneously

The HD 3D Map-Based ApproachHD 3D maps are high definition pre-mappings of the driving environment. They provide important details about static road signatures, such as the location of stop signs, trees, and lane markings. During self-driving, this pre-collected data will be compared to the current sensor input and the self-driving car can precisely discern its own location. At the same time, all of the detailed semantic information from the HD 3D maps are utilized by the A.I. However, it is difficult to guarantee the accuracy of the HD 3D map on a large scale. Thus, we need the real-time sensing approach.

The Real-time Sensing ApproachThe high-resolution real-time sensing approach is more similar to a human driving. In the same way we use our senses to locate lane markings and other cars, this approach uses fused data from multiple sensors and feeds it into the perception algorithm, which is running lane detection and other perception tasks in real time. This approach has a high technological barrier because it requires cutting-edge computer vision and A.I., however it provides AutoX with accurate and up-to-date information, helping the self-driving car respond to sudden unexpected situations. Furthermore, the approach is more robust to transient events such as road construction, which is out of the realm of the map-based approach.

A Tale of Two Approaches:

HD 3D Map-Based and Real-time Sensing


SYSTEM REDUNDANCY HARDWARE REDUNDANCY

AutoX vehicles feature two main computers. Should one

computer experience a failure, the second computer will

immediately take over the vehicle, pull over, and make

a safe stop. This decentralized dual computing system

utilizes two reliable computing platforms with the same

computing capability. While this ensures computational

redundancy, we also equip each vehicle with redundant

Drive-by-wire control unit that allows the A.I. to drive the

vehicle. This redundant system approach also accounts

for potential failures in the main system. There is a

fallback system available to take control of the vehicle if

a hardware or software discrepancy is detected.

Decentralized Dual Computing and Drive-by-Wire Control Unit

AutoX has designed a fully redundant hardware

infrastructure in our vehicles to handle hardware issues

such as power failures. It includes redundant backup

power, a redundant emergency stop button, and

redundant connectivity devices.

Double Infrastructure for Safety


A remote human operator is the “Highest Safety

Redundancy” for the fully autonmous vehicle. AutoX

has developed a powerful and reliable A.I., though

there still exist extreme situations that are difficult

for any A.I. to handle. These are called “edge cases.”

We have built a remote monitoring and teleoperating

system to enable human remote operators to help

and assist the self-driving car at anytime during

testing and deployment.

The “Highest Safety Redundancy”

Road Construction in Progress

Emergency Vehicles Need to Get By

Traffic Guard on Duty

Bad Weather

Car Accident

Force Detour

Defective Traffic Light

Road Obstruction

HUMAN REMOTE OPERATORS


There are two ways a human remote operator could help: “remote takeover” and “remote hybrid support.”

Remote takeover allows a human remote operator to

drive the car remotely as if the remote operator is in

the car. Remote operators will have a steering wheel

and brake and throttle pedals that he or she can use to

control the vehicle, much like conventional driving. We

use a minimum of four cameras to get a surrounding

view of the car. In situations such as a emergency vehicle

passing by, the remote operator is able to take control of

the car and “drive” it to the side of the road and prevent

slowdowns and accidents. There is also a continuous two-

way communication link maintained between the testing

vehicle and the AutoX command center. The human

remote operator can react to law enforcement and other

first responders immediately.

Our self-driving system senses the environment in

many ways. Our vehicles are equipped with sensors

such as LiDARs and radars that perceive the world in a

way that humans cannot. However, in some cases, the

A.I. may still struggle with making decisions since there

are so many challenging situations to handle. With this

in mind, AutoX has designed a remote hybrid support

system, which allows the self-driving car to “ask for

help” with certain decisions that it finds challenging. The

human remote operator can also check the A.I. decision

results and correct or overwrite them when unexpected

errors occur.

Remote Takeover

Remote Hybrid Support


AutoX’s remote control system is a part of the remote

teleoperating system. It provides us with a unique layer

of redundancy and the ability to help our A.I. handle

edge cases. At the same time, a great deal hinges on the

human remote operator. AutoX ensures that each of our

operators completes a rigorous training program, and we

provide a remote control system that closely mimics the

process of operating a normal car. The operator’s controls

consist of a steering wheel, accelerator, and brake pedal,

much like a conventional vehicle. The controls are carefully

calibrated to mimic the sense of realistic driving feedback,

and the ergonomics of the entire setup are close to that of

a real car.

Building a reliable remote teleoperating system

We are always watching our vehicles and are ready for human engagement during testing, even if there is no one physically inside the vehicle.

Remote control

Remote hybrid support

Due to the importance of the remote control system, a

great deal of care has been devoted to its development. The

remote control system and the remote hybrid supporting

system have a strict real-time constraint. We cannot tolerate

even a half-second delay or glitches in video streaming or

vehicle control. AutoX engineers have ensured that all the

test vehicles are always connected to AutoX command center

reliably through innovations in both hardware and software.

In terms of hardware, we use multiple high speed modem

bonding and bandwidth aggregation technology. Multiple

channels of high speed internet from different carriers are

used together to share the bandwidth, so that we can get

a much higher data uploading speed compared to other

applications. If one modem fails, the payload can seamlessly

be transferred to other modems.

High resolution video can place a burden upon the network

connection, and network failures are a possibility that we

must contend with. As constant connectivity is a must, we

execute a series of strategies to ensure that the remote

operator never loses contact with the vehicle. For instance, in

the event of poor network connection, we adjust the camera

video to fit the network conditions.


By establishing strict testing and validation procedures, AutoX ensures that its

self-driving car tests are conducted safely. We have created a virtual world for

the testing of our self-driving system. Every self-driving feature is first tested

in the powerful simulated environment. Afterwards, well-trained AutoX safety

drivers and remote operators are constantly making sure that our on-road

testing is safe for all road users, the surrounding environment, and ourselves.

AutoX’s Policy and Methods for Ensuring Safe Self-driving Vehicle Testing

TESTING AND VALIDATION

CHAPTER 3


OPERATIONAL DESIGN DOMAINAt AutoX, we are developing full-stack Level 4 self-driving technology,

achieving a driving mode-specific performance by an automated driving

task1. It is therefore extremely important to understand the capability of

the self-driving car and standardize the operational design domain.

The operational design domain is a closed set of conditions in which

AutoX driverless vehicles will safely operate only if all conditional

constraints are met. The operational design domain consists of six

elements: the geographic area of testing, road type, speed range,

weather conditions, time of day and types of passengers. AutoX will

not perform Level 4 autonomous testing if any of the conditions listed

above are not fulfilled in the testing scenario. The software and hardware

systems that the AutoX driverless vehicles carry on board, as well as

1. SAE International, J3016_201806: Taxonomy and Definitions for Terms Related to Driving Automation Systems for On-Road Motor Vehicles

We will only test our self-driving car within the range of its capability


related systems installed in the AutoX fleet management

and control center, are designed to perform dynamic

driving tasks in the predefined operational design

domain. The dynamic driving tasks are characterized by

the fact that, during the driverless vehicle test, the driving

assignments can be assigned and changed on the fly,

including vehicle destination re-routing, vehicle behavior

changing from city road driving to pulling over, and other

driving behaviors. However, all the driving assignments

given to AutoX driverless vehicles are assured to meet the

predefined operational design domain described in this

section.

To achieve absolute safety, if an unexpected situation

occurs during a driverless vehicle test that is outside

the operational design domain, the test will terminate

immediately and a minimal risk condition fallback will

be triggered. A human operator can take control of

the testing vehicle based on different situations. This is

known as a human operator takeover, and can refer to

either remote operator takeover or in-vehicle operator

takeover. The software and hardware systems of the

AutoX driverless vehicles are designed to ensure remote

operator takeover shortly after triggering. The remote

operator will operate the testing vehicle and transition

it to a safe status as soon as possible, resume the test if

the failing conditions are recovered, or wait for in-vehicle

human takeover or law enforcement takeover depending

on the circumstance. Note that the event that triggers

human operator takeover may not necessarily indicate a

failure in the testing vehicle’s A.I. system. For example, if

the remote operator notices that there is an accident in

the adjacent lane, he or she may make take control of the

vehicle as a precaution.

* Map for illustration purpose only


TESTING AND VALIDATION

START FROM THE VIRTUAL WORLD

Whenever new features are added to the AutoX full stack

self-driving system, we conduct tens of thousands of tests

to make sure that the new features meet all our safety

requirements. The first step of testing and validation takes

place in a virtual world: the AutoX 3D simulator.

The AutoX 3D simulator is a multifunctional simulation

and verification platform for autonomous vehicles. It is

able to simulate various scenarios, each of which can be

tailored to the particular circumstances that the team wish

to test. The simulator can accomplish five major tasks:

infrastructure building, sensor and perception simulation,

motion planning and control simulation, traffic and

decision simulation, and full stack verification.

Scenario Editing and Unit Tests

Simulated vehicles interact with virtual

environments called scenarios. The quality

of the virtual environments affects not only

the visual appearance of the simulation, but

also the quality of the sensor simulation and

performance of the simulated vehicles.

The AutoX 3D simulator scenarios are diverse,

with a variety of road types, buildings, traffic

signs, and landscapes. The scenarios are

designed to have a certain level of complexity

and realism for the sensor simulation and

localization simulation, which gives an intuitive

visual feedback to our team as well, helping

them to gauge the performance of the A.I.

algorithms in the virtual world.

3D scenarios can be easily transformed to

HD 3D maps that can be used directly in the

A.I. system, and vice versa. It can also provide

multi-sensor perception results which can be

used for control and motion planning. AutoX

engineers have tuned parameters carefully

to obtain a realistic vehicle dynamic model

that simulates engine RPM and torque output

based on different throttle and brake inputs.

Different road conditions and tire friction

conditions are simulated as well, providing

a wide range of realistic unit test scenarios

for control algorithm and motion planning

algorithm development and refinement.

In the AutoX 3D simulator, scenarios can be created using real HD 3D map collected in the real world or new virtual cities that do not exist by a powerful “world editor.”


Creating Scenarios and Edge CasesDecision making is one of the most challenging tasks in the A.I. development of an autonomous

vehicle. There are infinite edge cases that may be difficult or dangerous to reproduce in reality,

such as illegal driving behaviors or sudden traffic accidents. The AutoX 3D simulator provides

a systematic tool to define and produce those traffic scenarios in the virtual world. Other

vehicles and pedestrians are simulated, and their behaviors can be defined or controlled using

descriptive languages and other human-machine interfaces.

The simulated agents in the AutoX 3D simulator can interact with each other and the simulated

self-driving car. They too have “minds“ of their own and are able to follow (or not follow!)

the traffic rules like a real driver, including waiting or running red lights and reacting to stop

signs. Users can ascertain how the self-driving car should behave, for instance when a reckless

driver suddenly cuts in, by reproducing and testing under this situation many times in the

virtual world. In addition to the unit feature development, we can also create more complex

traffic scenarios in the AutoX 3D simulator and have the whole prediction, decision, planning,

and control A.I. in the loop. Algorithms are tested inside the virtual world with many of other

vehicles and pedestrians simulated.


Closed Loop Simulation: Adding Sensor Perception to the Simulation

The virtual world is the ideal ground for initial testing and verification of new features.

For this to be effective, however, it is essential that the perception, planning and decision

making modules of the virtual vehicles closely resemble that of the real ones. In the AutoX 3D

simulator, the entire Level 4 self-driving system is run in the virtual world. The 3D simulator

is able to produce simulated camera, LiDAR, and other sensor outputs for the virtual vehicle,

ensuring that our perception system is effectively replicated in the simulation. This way, we

can test the ability of the system to see and classify various objects. This is especially beneficial

in testing the system performance in challenging circumstances, such as situations where a

vehicle is obscured behind a larger one, or pedestrians are standing near trees. Our team

can then optimize the system’s performance and test in these scenarios as many times as is

necessary - all in the safety of the virtual world. By the time a new perception module feature

is ready to be tested in a closed environment in the real world, it has already undergone many

cycles of optimization in the virtual world.


Every one of our testing vehicles

goes through extensive pre-flight

safety checks before getting on the

road. These consist of an inspection

performed by our technicians as well

as pre-flight checklists performed by

our autonomous vehicle testers.

Mechanical inspections are performed

on each car to ensure that they are

safe for testing on public roads.

Technicians thoroughly inspect all

safety-related measures such as tire

tread, pressure, headlights, tail lights,

windshield, mirrors, etc. Cars that

do not pass this inspection are made

unavailable for testing until the issues

are resolved.

Pre-flight checklists are completed

every time before the car leaves the

garage for a test on public roads. We

standardize the procedure to ensure

all layers of components associated

with getting an autonomous vehicle

online are tested in the accurate

sequence to ensure the holistic

system is in proper conditions. The

entire procedure includes sensor suit

function checks, loading of the proper

software version, localization checks,

object detection checks, etc.

Pre-flight Safety Checks BEFORE WE GO: VEHICLE MAINTENANCE AND PREFLIGHT CHECK

We constantly monitor the components and the overall

system of each vehicle. We analyze and test our system

at multiple layers, including inspections on the vehicle

itself: vehicle serviced for tire rotation, alignment,

oil & air filter changes, brakes, and other car related

inspections, as well as sensor suit checking, computers

and Drive-by-wire (DBW) hardware checking. Some of

these services are carried out by external professionals

and are strictly monitored by our technicians.

Vehicle Maintenance

Mechanical inspections

Pre-flight checklists


FROM CLOSED TESTING SITES TO PUBLIC ROADS

After extensive testing and validation in simulation, AutoX engineers will rigorously

test the integration of the system into a test vehicle. We initially conduct unit tests

in closed testing facilities. Well-trained AutoX employees will create a series of

different scenarios mimicking real driving situations. Various regression tests from

speed control and steering control to the performance of the A.I. components will

be arranged and carried out in a systematic fashion. With these tests, we can

ensure that the vehicle operates safely within our ODD. Only then will we conduct

public road tests. A strict safety protocol will be followed for both manned and

unmanned testing of our self-driving cars. All of the self-driving testing vehicles

will be constantly monitored by a well-trained safety driver and a human remote

operator.

Data-driven Development Approach


Safety drivers and remote operators are the last line of

defense in autonomous vehicle safety. AutoX requires

its safety drivers and remote operators to complete

a training program tailored to ensuring proficiency in

identifying problems and controlling the vehicle in a

safe manner. This formal process takes 3 weeks for

each remote operator and 2 weeks for California DMV-

certified autonomous vehicle testers to complete.

Remote operator candidates must also complete this

process, along with additional training specific to remote

teleoperation tasks.

AutoX safety drivers and remote operators understand

that safety is our number one priority, and will follow our

safety policy at all times while operating our autonomous

vehicles. The operator is required to be attentive and

take control of the vehicle in the event of an emergency

and bring it to safety. Operators shall not text, talk on

the phone, eat, smoke, or do anything that they would

not do when driving an actual vehicle. Their attention

must be focused on the road, and they should be in

position to take control of the vehicle at any moment.

AutoX Assistance Operators shall obey all provisions of

the Vehicle Code and local regulation applicable to the

operation of motor vehicles. Test drivers are trained and

required to record field data and create daily reports.

These reports should reflect events completely and

truthfully.

We have designed a systematic training program for

AutoX safety drivers and remote operators. The program

primarily consists of five parts: understanding the

operational design domain, the autonomous system,

the remote control system, fleet management system

user interface training, and field training. We have also

designed an examination with both written tests and

field tests to make sure that every AutoX safety driver

and remote operator is qualified to ensure the safety of

the public and of our self-driving cars.

SAFETY DRIVER AND REMOTE OPERATOR TRAINING

FEDERAL, STATE, AND LOCAL LAWS

AutoX designs its vehicles to meet all Federal,

State, local laws, and any other government

standards. Our vehicles meet the Federal Motor

Vehicle Safety Standards and other relevant

requirements. We also actively communicate

with local authorities, local law enforcement

agencies, and local communities to ensure

that we follow all the government laws and

instructions in terms of our operational and

business practices.


AutoX is preparing for driverless vehicle testing. We have devoted a great deal

of effort to building a stable, reliable, and failure proof self-driving software and

hardware system. We are also actively communicating with local law enforcement

agencies and local communities to standardize a series of communication

protocols and implementations. We will specifically address public safety and the

safety of the law enforcement during their engagement with our self-driving cars.

Designing a standardized protocol for public safety

EVERYONE’S SAFETY IS OUR PRIORITY

CHAPTER 4


HUMAN-MACHINE INTERFACE (HMI)

AutoX’s self-driving cars will become part of the communities that

they serve, and their presence on the roads calls for a means for other

road users to communicate with them. Our approach to this is three-

fold:

1 We clearly communicate the status of the vehicle at all times, via

a screen at the back of the vehicle. This allows bystanders to be

aware of the state of the self-driving system.

2 We enable law enforcement and other first responders to bring

the vehicle to a safe stop and disengage from autonomous

driving mode in the event of an emergency. This is accomplished by

using either of the emergency vehicles inside or outside the vehicle.

3 We provide an on-board radio as well a cellular phone to

enable contact with vehicle’s remote operator, who can offer

information and support to first responders. We can also operate the

vehicle remotely as required by the situation.

SHOWING THE DRIVING STATUS OF THE VEHICLE

There are three possible driving statuses of AutoX self-driving vehicles: Auto-drive mode, Remote Control mode, and Manual Drive mode.

In Auto-drive mode, the vehicle is controlled by the self-driving software. This indicates that the system is healthy; there are mechanisms in place to detect any anomalies in the self-driving system that can trigger a remote takeover. This mode indicates that AutoX’s level 4 autonomous driving technology is in full control.

In Remote Control mode, the AutoX self-driving car is remotely controlled by a human remote operator. The remote operator is able to bypass the self-driving software and control the vehicle from the command center. The remote control mode is designed as a fallback mode for edge case handling and emergency takeover.

In Manual Drive mode, the testing vehicle is fully controlled by a human driver inside the vehicle. The autonomous vehicle is effectively a normal motor vehicle; no self-driving is taking place.

We have designed a driving status display located on the rear side of the vehicle, helping first responders and other road users to identify the driving status of the vehicle.

Exterior emergency button and A.I. control disengagement switch


FORCED A.I. DISENGAGEMENT AND FORCED DRIVE-BY-WIRE DISENGAGEMENT

POST-CRASH BEHAVIOR

In the event of a collision or accident, the self-driving

system may no longer function as expected due to

hardware damage. AutoX has designed an emergency

Human Machine Interface (HMI) to protect law

enforcement officers and other first responders who

may engage with the autonomous vehicle. These consist

of interior and exterior emergency stop buttons and

emergency drive-by-wire disengagement switches. When

conducting a drive-by-wire disengagement, the testing

vehicle will no longer be controlled by any self-driving

software, including the remote control system. This way,

the law enforcement officers and other first responders

can safely interact with the self-driving car, and move it

out of an accident scene to prevent any further collisions.

AutoX has designed an emergency protocol defining

the post-crash behavior of our self-driving testing

vehicles. We are also publishing an AutoX driverless

vehicle law enforcement engagement plan for the

reference of law enforcement agencies and the general

public. AutoX believes that a clear, transparent, and

standardized interaction protocol for any emergency

scenarios can prevent secondary accidents caused by

miscommunication and misunderstandings.

All AutoX driverless test vehicles will be constantly being

monitored by an AutoX remote control operator during

the self-driving car testing. If an AutoX self-driving test

vehicle is in an accident or if a collision is imminent,

the Absolute Emergency Braking (AEB) system will be

activated and the vehicle will come to a full stop. The

remote operator will assess the collision. If there is a

need to move the vehicle to the side of the road, and the

vehicle is in a condition to do so, the remote operator

will do so via remote control. If there is an accident

involving other road users or if there is damage to public

properties, the remote operator will call 911 to report the

accident. The AutoX fleet management team will arrive at

the collision scene as soon as possible to provide on-site

support for law enforcement.

It is of upmost importance to us that our vehicles be

safe, courteous users of the roads. We will closely

cooperate with law enforcement as we continuously test

and perfect our technology.


AutoX prioritizes above all the safety of everyone we share the road with. In order to achieve

this, we communicate transparently with our users about our technology and how we handle

emergencies. In the AutoX app, we will provide a detailed description of the vehicle systems

and how the customer should approach and interact with them. The vehicle itself provides

addition instruction through clear, concise instructions posted near its emergency button.

This safety report is meant to serve as an introduction to the operation of our vehicle and

provide a deeper dive into our safety systems. AutoX will continue to produce such content to

share with the public.

All AutoX operators are ambassadors and representatives of our vehicles. They are well-

trained and up-to-date with the operation protocol and our technology. They are ready to

interact with the public to address any questions about our autonomous vehicles.

PUBLIC ENGAGEMENT


AutoX has a vision to connect people using our autonomous vehicle technology. The ability

to autonomously transport physical objects opens a whole new world of possibilities.

It promises to save more time that will no longer be lost to traffic and errands. As we

strive to accomplish this, we are cognizant of the fact that our vehicles will become part

of the communities that they serve. As such, the safety of our customers, of other drivers,

pedestrians, and all other road users is the highest priority. This calls for a system that

has safety and reliability engineered into its very fabric - a product that is engineered

from the very beginning with safety in mind. In this report, we have sketched out the

myriad of strategies we have undertaken to ensure the safety our vehicles, from having

high resolution sensing systems to redundancy in both software and hardware to human

oversight via our remote teleoperating system. We have made significant headway in

creating robust, reliable self-driving cars, and we will strive for perfection in every detail.

The road ahead is full of promise, and safe AutoX autonomous vehicles are the best way to

reach the future.

CONCLUSION

Documents

THE AUTOX SAFETY FACTOR